Find out the best practices for conducting penetration testing for your business or organization.
Understanding your organization’s cybersecurity posture is becoming more important every day. So how do you know how secure your IT infrastructure really is?
One way to get a glimpse into your organization’s security is penetration testing: pretending (or hiring someone to pretend) to be a hacker, attempting to infiltrate your organization’s physical and cyber systems however possible.
“Pen testing” lets you understand your organization’s cybersecurity measures so you can avoid cybersecurity threats, and in many cases, so you can stay compliant.
Indeed, pen testing is required for compliance with numerous security frameworks such as SOC 2, HIPAA, PCI-DSS, ISO, and others. Exactly which requirements you need to meet depends on the certification, but a penetration test is generally a good idea for any organization looking to bolster its cybersecurity efforts.
What Is a Penetration Test?
A penetration test is a controlled, simulated attack carried out (internally or externally) by penetration testers to identify and test any vulnerabilities in your IT security. The goal of a pen test is to see where your security vulnerabilities are, so you can repair them before cybercriminals exploit those weaknesses.
Pen tests are an important component of a full security audit. They uncover security issues that could be exploited by malicious actors, by posing as those very actors and attempting to penetrate your systems.
A penetration test can help you gain assurance into your organization’s vulnerability assessment and management processes, but it should not be viewed as a primary method for identifying vulnerabilities.
To identify, quantify, and prioritize vulnerabilities in your system, you’ll first need a vulnerability assessment. A vulnerability assessment is an automated scan that categorizes key assets and ultimately drives your risk management process.
After a vulnerability scan, a penetration test can help you get a deeper understanding of the holes in your organization’s defense. Pen tests are significantly more in-depth than vulnerability assessments; and unlike automated scanning software, pen testers can ask questions when something doesn’t seem quite right.
Penetration tests are usually carried out by trained security experts or ethical hackers — pen testers — who work for companies that provide penetration testing for organizations like yours. On your behalf and with your permission, pen testers will systematically attempt to penetrate your network security, applications, or other computing resources. They can help your organization determine which of your security measures are effective, which need to be updated, and which contain vulnerabilities that can be exploited.
Your organization should seek penetration testing from a certified ethical hacker for the most trusted results. A Certified Ethical Hacker (CEH) is best suited for the role of penetration tester, but other appropriate certifications include a Certified Information Systems Auditor (CISA) and GIAC Security Essentials certifications.
Ideally, you should already know what a pen tester is going to find before he or she finds it. Penetration testing services can help arm you with a good understanding of the vulnerabilities present in your system by verifying your own expectations before the pen test takes place.
At the end of a penetration test, you should receive a full report from your pen testers. That report should include recommendations for remediation of any vulnerabilities that were successfully exploited.
The first step toward conducting a penetration test is gaining a deeper understanding into the nuances of penetration testing. Before we offer advice on the best practices for penetration testing, we’ll take a look at the different types of pen tests and strategies that pen testers use to help your organization stay on top of vulnerabilities.
What Are the Types of Penetration Testing?
There are several standard methodologies for conducting penetration tests, including the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration testing Execution Standard (PTES), the National Institute for Standards and Technology (NIST) Special Publication 800-115, the Information Systems Security Assessment Framework (ISSAF) and the Open Web Application Security Project (OWASP) Testing Guide.
Pen testers carrying out penetration tests are usually armed with varying amounts of information about your organization’s system. Which type of penetration test to conduct is up to you, but each comes with a number of pros and cons.
Black Box Testing
During black box penetration testing, your organization wouldn’t share any information with the pen testers about your internal operations. This type of test is performed from strictly an external perspective, and it’s aimed at identifying ways to access your organization’s internal IT assets.
Black box testing accurately models the risk faced from unknown or unaffiliated attackers because penetration testers don’t start with any pre-existing information about your organization.
That said, the lack of information shared during black box testing may result in undiscovered vulnerabilities.
White Box Testing
In white box testing, your organization shares full information with the pen testers, including the existence of known software vulnerabilities and common misconfigurations in your organization’s systems. This model of testing aims to confirm the efficacy of internal vulnerability assessment and management controls.
White box testing simulates cyberattacks from a malicious actor who has insider knowledge and possibly the basic credentials for your organization’s system.
As one of the primary testing methods used today, white box testing has several advantages: it’s easy to automate, and it also provides clear, engineering-based rules for when to stop testing.
White box testing also has the potential to miss some vulnerabilities altogether, and it’s not always realistic to test every single existing condition. Ultimately, white box testing focuses on the software as it exists, and may not necessarily discover any missing functionality.
Gray Box Testing
A gray box penetration test is a combination of white and black box testing models. In gray box testing, you share limited knowledge of your organization with the penetration testers.
Gray box testing is a form of unbiased testing, meaning that it maintains a clear boundary between the tester and the developer.
The combined effects of gray box testing make it appealing to many organizations because it offers advantages from both white box and black box testing.
External Network Testing
An external network penetration test focuses on the security of your network perimeter and the effectiveness of your firewalls, routers, intrusion detection systems (IDS), operating systems, and services available to the internet or untrusted networks. External network tests are carried out externally, from outside your organization, and usually includes internet testing of web applications.
During an external network test, pen testers act like hackers who are not familiar with your internal system. You provide them with the IP of your target system, and usually nothing else.
Pen testers conducting external network testing will simulate attacks on servers, firewalls, and IDS by first searching and scanning public websites to find information about your target hosts and then attempting to compromise the hosts once they’re located.
Internal Network Testing
An internal network penetration test examines the security of your internal networks and systems, mirroring actual attack scenarios launched from an internal source. This type of penetration test is carried out within your organization, and can help you identify vulnerabilities in your corporate firewall as well as the security of your wireless LAN infrastructure.
Because cyberattacks most often occur externally, organizations often ignore internal pen tests. Conducting internal network penetration tests, however, can help your organization protect itself from an attack by a disgruntled employee or contractors who are aware of internal security policies and passwords.
Wireless Testing
A wireless penetration test identifies and examines the connections among all the devices connected to your organization’s wireless network. This includes laptops, tablets, smartphones, and any Internet of Things (IoT) devices.
Because the pen tester needs to be in range of the wireless signal to gain access, wireless testing is usually performed on site.
What Are Penetration Test Strategies?
Let’s take a look at some of the strategies that pen testers use when conducting penetration tests.
Social Engineering
Social engineering encompasses a broad range of malicious activities accomplished via human interactions, relying on psychological manipulation to trick targets into making security mistakes or giving away sensitive information.
As a penetration testing strategy, social engineering tactics focus on the vulnerabilities in your organization that are associated with people and processes. Typically, during a pen test, pen testers will conduct a variety of different social engineering attacks including phishing, impersonation, or USB drops to identify potential vulnerabilities.
Port Scanning
Port scanning is the process of identifying what ports are open on a target system, and determining what services those ports are running. Like an opening that allows entry into a house, ports on a computer allow certain services to run on certain ports.
When port scanning, pen testers try to answer these questions:
- What ports are open?
- What services are running on these ports?
- What versions of those services are running?
Once these questions have been answered, pen testers can use common knowledge about which ports are open to conduct brute force attacks and gain entry into the system.
SQL Injection
SQL injection is an application security weakness that allows hackers to control an application’s database. One of the most common threats to data security, SQL injection tricks applications into sending unexpected SQL commands, letting a hacker access or delete data, or change an application’s data-driven behavior.
A pen tester will identify SQL injection vulnerabilities in web applications, so you can prevent attackers from accessing or controlling data without authorization.
Antivirus Evading
Antivirus software is one of the oldest and most prevalent security controls against various types of malware. Penetration testers use a number of techniques to gain access into systems protected by antivirus software, including using administered toolkits or evading virus signatures altogether.
This technique will allow your organization to see just how effective your antivirus software really is at keeping your data safe.
How Do I Conduct a Penetration Test?
As mentioned before, it’s best to entrust pen testing to a certified ethical hacker. While it may be tempting to conduct a penetration test using your existing security team, you should hire an external and reputable penetration testing service to assure you get the best results.
To prepare for a penetration test, you also need a current vulnerability assessment to share with pen testers before the test begins. This will allow them to design the penetration test so that it uses the findings of your vulnerability assessment.
A typical penetration test will follow this pattern: initial engagement, scoping, testing, reporting, and follow up.
Initial engagement will include evaluating the penetration tester to ensure the team is qualified, as well as divulging information to your pen tester about any unusual systems.
Scoping establishes the goals of your penetration test, any areas of special concern, and technical boundaries; as well as determining which tests will provide you with the fullest picture of your vulnerabilities.
The scoping phase should help you to produce a plan of action that includes:
- The technical boundaries of the penetration test.
- The type of test or tests expected.
- The timeframe and the amount of effort required to conduct the test.
- Scenarios or specific “use cases” to test.
- The pen testing team’s requirements.
- Compliance or legislative requirements that the testing plan must meet.
- Specific reporting requirements.
- Time constraints on testing or reporting.
Once you’ve outlined your expectations, testing will begin.
The primary goal of penetration testing is to find or confirm vulnerabilities in your organization that could be exploited by a malicious actor. To do so, ethical hackers use the same hacking skills that cybercriminals might use to attack your organization.
During a penetration test, an experienced pen tester will typically conduct the following measures to evaluate the security of a system:
- Reconnaissance: gathering information about your organization to better attack your systems.
- Scanning: using technical tools to further the pen tester’s knowledge of your system.
- Gaining access: using the data gathered in the reconnaissance and scanning phases to exploit your system.
- Maintaining access: working to stay inside your environment to gather as much data as possible.
- Covering tracks: clearing any trace of the intrusion, including data and event logs.
After the pen test is complete, the pen testing team will submit a test report that should include the following:
- Any security issues that were uncovered during testing.
- An assessment of the level of risk to which each vulnerability exposes your organization, and a severity rating.
- A method for resolving each identified issue.
- An opinion on the accuracy of your organization’s vulnerability assessment.
- Advice on how to improve your internal vulnerability assessment process.
You should always conduct a follow-up assessment after a penetration test. Your organization’s vulnerability management team should assess the test report to make decisions on how to fix the problems.
Vulnerability risk assessment and risk mitigation are critical business processes that shouldn’t be entirely outsourced to a penetration testing team. Your own technical staff can provide alternatives and help determine the optimal solutions for your organization.
Trust ZenGRC for Your Business Cybersecurity
Whether your organization is seeking certification from a compliance framework that requires penetration testing, or you want to conduct a penetration test for peace of mind, governance, risk management, and compliance (GRC) software make the process of pen testing less stressful for you and your team.
ZenGRC from Reciprocity is a software-as-a-service that continuously scrutinizes your networks and systems against the most critical and widely used compliance frameworks, including PCI DSS, SOC, HIPAA, ISO, and more.
A color-coded dashboard shows at a glance how you can fill compliance gaps, and updates automatically as the frameworks change.
ZenGRC even collects and stores penetration test and audit findings along with your other audit trail information in a “single source of truth” repository; no more hunting for documentation come audit time!
In addition to providing basic guidelines for implementing and managing your compliance frameworks, ZenGRC also provides documented best practices for you and your organization. It even gives you updates and in-the-moment insights regarding the threat landscape, so you can respond quickly to real-world changes in threats and vulnerabilities.
ZenGRC also integrates with several vulnerability scanner applications, including Qualys, to streamline the assessment of controls when you need to prove that you have an effective vulnerability management program.
Suddenly, penetration testing just got a lot more simple.
With ZenGRC, you can let the software do the compliance heavy lifting, and turn your attention toward keeping your customers and clients happy.
Schedule a free demo today to see if ZenGRC can help your organization conduct penetration testing in a more efficient and manageable way — the Zen way.